authorKishen Maloor <kishen.maloor@intel.com>2018-12-11 17:37:48 -0800
committerKishen Maloor <kishen.maloor@intel.com>2018-12-14 04:06:08 +0000
commitf303871d9f0ef26e4da91c294a8e6aea29e4617b (patch)
tree2f8bc88c6910466dab640c298e2f6af04d00c86f
parentb0c990b2547de2082aa695c7b727d2a45eb38542 (diff)
oc_cred:save privkey in provisioned identity cert
This change adds logic when the OBT/CMS provisions an identity certificate (chain) through a request to check whether or not the request contained a privatedata entry. If it did not, we fetch the deviceuuid of the logical device hosting this /oic/sec/cred instance and try to match it against the subjectuuid of the cred request representation. If they don't match, we reject this request as we do not know its private key. If they match, we obtain the keypair for this logical device, retrieve its private key, and store it into the privatedata property of this new cred entry and proceed with further processing of this request. Change-Id: Ice0c9dc8987553962f21726a3a573a238b8e661e Signed-off-by: Kishen Maloor <kishen.maloor@intel.com> Reviewed-on: https://gerrit.iotivity.org/gerrit/27767
-rw-r--r--security/oc_cred.c39
1 files changed, 33 insertions, 6 deletions
diff --git a/security/oc_cred.c b/security/oc_cred.c
index 1442e51..aa19999 100644
--- a/security/oc_cred.c
+++ b/security/oc_cred.c
@@ -22,6 +22,7 @@
#include "oc_config.h"
#include "oc_core_res.h"
#include "oc_doxm.h"
+#include "oc_keypair.h"
#include "oc_pstat.h"
#include "oc_store.h"
#include "oc_tls.h"
@@ -119,7 +120,7 @@ oc_sec_remove_cred(oc_sec_cred_t *cred, size_t device)
if (cred->credtype == OC_CREDTYPE_CERT) {
if (cred->credusage != OC_CREDUSAGE_TRUSTCA &&
cred->credusage != OC_CREDUSAGE_MFG_TRUSTCA) {
- oc_tls_remove_identity_cert(cred, device);
+ oc_tls_remove_identity_cert(cred);
} else {
oc_tls_remove_trust_anchor(cred);
}
@@ -264,11 +265,6 @@ oc_sec_add_new_cred(size_t device, int credid, oc_sec_credtype_t credtype,
return -1;
}
- /* remove duplicate cred, if one exists. */
- if (!unique_credid(credid, device)) {
- oc_sec_remove_cred_by_credid(credid, device);
- }
-
oc_uuid_t subject;
if (subjectuuid[0] == '*') {
memset(&subject, 0, sizeof(oc_uuid_t));
@@ -278,6 +274,26 @@ oc_sec_add_new_cred(size_t device, int credid, oc_sec_credtype_t credtype,
}
#ifdef OC_PKI
+ oc_ecdsa_keypair_t *kp = NULL;
+
+ if (credusage == OC_CREDUSAGE_IDENTITY_CERT && privatedata_size == 0) {
+ oc_uuid_t *uuid = oc_core_get_device_id(device);
+ if (memcmp(uuid->id, subject.id, 16) != 0) {
+ return -1;
+ }
+ kp = oc_sec_get_ecdsa_keypair(device);
+ if (!kp) {
+ return -1;
+ }
+ }
+#endif /* OC_PKI */
+
+ /* remove duplicate cred, if one exists. */
+ if (!unique_credid(credid, device)) {
+ oc_sec_remove_cred_by_credid(credid, device);
+ }
+
+#ifdef OC_PKI
oc_sec_cred_t *chain = NULL;
#endif /* OC_PKI */
oc_sec_cred_t *cred = NULL;
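Review bot: `uuid->id` is read straight from `oc_core_get_device_id(device)` with no NULL check; if that lookup can fail for an out-of-range `device` (not visible here), the added block dereferences NULL. Guard it and drop the literal length: `if (!uuid || memcmp(uuid->id, subject.id, sizeof(subject.id)) != 0) {` (assuming `id` is an array member). A `*` subject is zeroed just above, so it matches only a device whose id is all zeros; if an unset device id is nil, that case would attach the device key to a wildcard cred and may deserve an explicit reject. The function starts and ends outside the hunk.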
@@ -359,6 +375,10 @@ oc_sec_add_new_cred(size_t device, int credid, oc_sec_credtype_t credtype,
uint8_t key[24];
memcpy(key, privatedata, 24);
int key_size = oc_base64_decode(key, 24);
+ if (key_size < 0) {
+ oc_sec_remove_cred(cred, device);
+ return -1;
+ }
oc_new_string(&cred->privatedata.data, (const char *)key, key_size);
privatedata_encoding = OC_ENCODING_RAW;
} else {
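Review bot: The new `key_size < 0` check rejects a decode failure but still accepts a zero-length or short result, which `oc_new_string` then stores as the credential's privatedata. If a fixed key length is expected here (the 24-character base64 buffer suggests 16 bytes, but that is inferred), compare against it, e.g. `if (key_size != 16) {`. The stack buffer `key` also holds the decoded secret on both return paths and is never cleared. The enclosing block starts before the hunk, so any check of `privatedata_size` ahead of the fixed 24-byte `memcpy` is not visible here.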
@@ -367,6 +387,13 @@ oc_sec_add_new_cred(size_t device, int credid, oc_sec_credtype_t credtype,
}
cred->privatedata.encoding = privatedata_encoding;
}
+#ifdef OC_PKI
+ else if (kp) {
+ oc_new_string(&cred->privatedata.data, (const char *)kp->private_key,
+ kp->private_key_size);
+ cred->privatedata.encoding = OC_ENCODING_DER;
+ }
+#endif /* OC_PKI */
/* roleid */
if (role) {
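Review bot: The `else if (kp)` branch puts a second copy of the device's private key into `cred->privatedata`, and nothing here says why or who owns that copy. A short comment would help, e.g. `/* no privatedata in request: cert is for this device, attach its own key (DER) */`. Worth confirming, since it is not visible in this hunk, that the /oic/sec/cred encoder never returns privatedata to a client and that `oc_sec_remove_cred` releases it. Hanging `else if` off a closing brace across an `#ifdef` is also easy to break when the preceding block changes. The function continues outside the hunk.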